Going Contactless: You Can't "Just Re-Card" Anymore

September 15, 2016 | Author: Brandon McCarthy | Category: N/A
Going Contactless: You Can't "Just Re-Card" Anymore
Diane Brueggeman & Bryan Crase, University of Cincinnati
Todd Brooks, Color ID

You Can't "Just Re-Card" Anymore
Is a Contactless Card conversion on your radar?
• Decisions we made
• Processes followed
• Lessons learned

It's Complicated!
University of Cincinnati (UC) Landscape
• Stakeholders
  ○ Public Safety & Campus Services

Players
• Public Safety ID production & door access
• Bearcat Card* door access & POS
• Cincinnati Metro Transit
• Banking relationship
• Others
  ○ Housing & Food
  ○ Parking
  ○ Rec Center

Why Convert to Contactless?
New Hardware/Readers & IDs = Better Security
• Task Force
• ISO Comprised
• Security
• Migration path for future
• Mag-stripe is bad
• Contactless is cool!

We need to do something different, now what? But what technology? How does it work?

Contactless smart cards
• 13.56 MHz "High Frequency" RFID Technology
• Advanced security available – encryption
• Additional memory, up to 16K bytes
• Widely used for physical access, transit, payments

Card Encryption keys
• KEYS are like PASSWORDS that lock memory sectors on smart cards
• When cards are programmed for physical access, the application area on the card is locked with a key
• Contactless cards can have the manufacturer's standard key, or a custom key unique to the institution
• Secure readers and cards usually have to be from the same manufacturer
• The reader holds the keys for the cards it will read

[Figure labels: HID, Allegion, Blackboard]

Contactless card providers

HID
• iCLASS – 2003
• "SIO" for iCLASS, MIFARE, MIFARE DESFire EV1 – 2012
• SEOS, Bluetooth Mobile Access – 2014
• Assa Abloy – Persona / Sargent Locks

Allegion
• Originally XceedID, Ingersoll Rand, then spun off – 2013
• aptiQ: MIFARE, MIFARE DESFire EV1
• Schlage AD Series Locks

Blackboard
• FeliCa – 2008
• MIFARE, MIFARE DESFire EV1 – 2013

HID Secure Identity Object
HID's SIO – Secure Identity Object
• Data can be anything – ID number for PACS, employee ID, ISO number
• Loaded on cards by HID through AsureID software, or Over the Air (OTA) to mobile
• SIO is encrypted with AES, digitally signed, and bound to device
• SIO data read at door by HID SE readers

SIO Provides added Security to Many Cards
• iCLASS, MIFARE, DESFire EV1, SEOS

SE Readers work with Cards and Mobile Access

Cards - Allegion aptiQ
aptiQ Readers and Cards
• MIFARE Classic and MIFARE DESFire EV1
• Pre-programmed by Allegion, using native NXP encryption
• Custom encryption keys available
• aptiQ cards work on Allegion readers and locks – AD series

Blackboard
• Blackboard readers for POS and physical access
• Cards programmed inline during printing or at the desktop
• MIFARE, DESFire EV1, FeliCa

How Did We Start?
Received approval from VP
Secured Funding
Solicited Key Areas of the University
• Central IT, Info Security, PDC, Parking, Library, Purchasing, METRO, Communications, Medical Center, Branch Campuses, etc.
Formed a Large Committee

Things We Considered
Technology
Type of Card
● MIFARE
● DESFire EV1
● Size of Card
Card creation for Re-Carding and beyond
Encoding HID, Blackboard, METRO
Pre-Vendor Demos

The Plan
Researched Contactless Card Technology
● Information sessions with vendors
Created RFP
● Project Committee Formed
● Determined Technical Specifications
● Bearcat Card, Picture Perfect, METRO, Parking, future…

RFP Process
● Published
● Responded to vendor questions
● Received seven responses
● Checked References
● Scored RFP responses
● Demos from top two responders/demo score
● Bid award

Student Card Design Contributions

What We Chose & Why
• And the winner is… DESFire EV1
• Only card that met all of our needs
• Vendor Color ID
• Card production by Color ID?
• HID or Generic Card?

Printing on Site
• How does your day-to-day card operation work?
• How long will my re-card take?
• Do you need to hire temp workers?
• Do you have the time and resources?
• Wear and tear on printers
• Consumable cost
• Pressure on the Card Office

Pre-Printing
• More cost effective to have vendor pre-print
• How many cards are needed for my re-carding?
• When do I cut-off to send a file?
• How much will customer information change?
• What will I do with all these cards?
• What if nobody shows up?

What Color ID Did for UC
The UC conundrum
• Multiple credentials
  o HID, Blackboard, Metro
  o Parking
  o Production
  o Encoding
  o Printing new ID
  o Resolving the wait time

Recard Process
• ~65,000 Total Cards - 45,000 Personalized
• Used 6 - HDP5000 print stations
• Ensures same card from ColorID or UC
• Separate Encoding Stations
• Press Proofs
• Triple Check Process

Programming cards inline

HID writes data with AsureID software
• Fargo Printer
• CP1000 Desktop Encoder

Blackboard
• Datacard Printer
• MF4100

Cincinnati METRO Specification
DESFire EV1 4K
14 Encryption Keys
23 Files (Data, Purses, CRCs, etc.)
Many Types of Products
• Transfer
• Period Pass
• Stored Ride
• Stored Value
• Etc.

Parking
Parking Systems
• Typically in their own world
• Access control readers are weatherproof
• Wiegand interfaces to install access control readers for campus cards
• University 1000 format for Parking – T2 Systems testing

Card Issuance Dilemma
• Picture Perfect Access Control
• Informix Database
• 6 Tables for ID Data (Reduced to 3)
• ISO Number Generation Process
• 1:Many relationships for card numbers and photos

Chuck Norris

Issuance / Encoding Solution
• Encode HID Credential at the desktop using CP1000 encoder and AsureID
• Encode Blackboard Credential using MF4100 device
• No Records need to be accessed for encoding

How We Made It Happen

Development

Testing

Implementation

How We Made It Happen
Logistics, Logistics, Logistics
• Card database cleanup
• Which cards to pre-print
• Order of groups to print
  o CS/PS Staff
  o Faculty/Staff, Affiliates
  o Students (Main Campus & Branch)
  o ELS
  o Card distribution
• Final cut-off for production data
  o As close to vendor printing as possible

A New Look
Old university ID

Card Design
• Student Design contest
• Received input from students
• Got the community involved!

Student Design Contest

UC Branding Approved Designs

Our Final Design NEW

Old

How We Made It Happen
Logistics for 45,000 Cards
● Room configuration
● Organization of cards
● Layout of card storage
● Moving the cards daily
● Issuance

How We Made It Happen
Re-Carding Events
● Activation of the cards upon issuance
● Feed to Public Safety
● Feed to PNC
● Feed to the Bearcat Card system
● UC systems updated

How We Made It Happen
Re-Carding Events
● Where is my ID?
● That is not my title!
● What does the system say?
  ○ Experts on hand
  ○ Access to badge system

How We Made It Happen
Being Flexible
● Special Distribution
  ○ Surgeons
  ○ Medical Students
  ○ Law Students
  ○ Branch Campuses (4)

How We Made It Happen
• Marketing
• Tweet from the Prez
• E-blast ID events
• Face of the Bearcat
• New ID Web Site

How We Made It Happen Marketing Re-Carding Events

How We Made It Happen
Marketing Re-Carding Events
Your Bearcat Card does everything it always has... and more!

How We Made It Happen New Bearcat Card Website Established www.uc.edu/ID

How We Made It Happen New Bearcat Card Website Established Prominent FAQ page featured on the site

How We Made It Happen New Bearcat Card Website Established

• Support Approach
  o Trouble report located directly at the bottom of the homepage

Card Distribution

Where We Are Today Public Safety Door Read Status

Bearcat Door Status

METRO

Assa Abloy Suite Doors

Rec Center

Parking

Micros POS

Lessons Learned
COLORID
• White Space / Padding
• Transit Encoding
• Database Connections and Processes – Ask More Questions
• Good Experience for Large Projects

Lessons Learned
Distribution
• People showing up for an ID even if they never had one before
• How many non-UC groups used our ID number
• File cut-off timing could have been better
• Need a number of willing staff to work the pick-up stations

Lessons Learned
Recarding Overall
• Find the expert
• Allow plenty of time for credential information exchange
• Be Flexible

Questions?
